Friday, January 16, 2009

Quick and dirty openLDAP replication

This is a cursory view of how to install and configure a master and slave openLDAP server pair. Unless specified, follow each step on both the master and the slave servers. The only real difference between the servers is the presence of a slurpd replica configuration on the master and each server's own slapd configuration. In the end, you will have a syncing pair that replicates changes from the master server to the slave server every three seconds.

A. Install OS and LDAP

1. Install your OS. I am assuming Linux, specifically RHEL or Fedora Core, but openLDAP will run on a variety of systems and these instructions can be adapted to your specific flavor.

2. On both the master and the slave, install openldap, php, httpd and their dependencies with the command (assuming RHEL or Fedora Core):
# yum -t -y install openldap-clients openldap-servers openldap php-ldap nss_ldap httpd php

B. Install and configure phpLDAPadmin (optional)

3. Install phpLDAPadmin from this website: http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page

4. Untar the download, and then copy the file phpldapadmin-<version>/config/config.php.example to phpldapadmin-<version>/config/config.php

5. Move the phpldapadmin-<version> directory to /var/www/html/phpldapadmin

6. Enable httpd at boot and restart it with the commands:
# chkconfig httpd on
# service httpd restart

C. Configure and test LDAP

7. Make sure that the master server's hostname is pingable from the slave and vice versa. If not, add the entries to /etc/hosts and restart networking with the command:
# service network restart

8. Copy /etc/openldap/ldap.conf to /etc/openldap/ldap.conf.orig

9. Copy /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.orig

10. Copy /etc/openldap/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG

11. Copy the configuration files to their respective servers. They are listed at the bottom of this document; the master and the slave each have their own ldap.conf and slapd.conf, so make sure the right pair lands on the right server.

12. Import the base DN from the base.ldif file (included later in this document):
# slapadd < /etc/openldap/base.ldif

13. Enable and start the LDAP service:
# chkconfig ldap on
# service ldap start

14. Point a browser at http://hostname/ or http://hostname/phpldapadmin. If you get a “php memory too low” error, raise the memory limit in /etc/php.ini, for example:
memory_limit = 128M ; For example

15. The login for the server is cn=root,dc=example,dc=com. Its password is set as a hash: run slappasswd to generate the hash, then replace the rootpw hash in /etc/openldap/slapd.conf with it.
# slappasswd
New password:
Re-enter new password:
{SSHA}At/pOvtko2KXcKfM7t0o/OPedJrpXQM0

Now put the hashed password on the rootpw line of /etc/openldap/slapd.conf as shown:
rootpw {SSHA}At/pOvtko2KXcKfM7t0o/OPedJrpXQM0

16. From the phpLDAPadmin GUI, or with slapadd as before, import the ldif file from a backup or an existing server into the master server. If you do not have an ldif backup of the old directory server, the other option is to copy the /var/lib/ldap directory over to the new server. If starting from scratch, this is a moot point.

17. If syncing is working, the imported entries will be replicated to the slave server. If not, the file /var/lib/ldap/replica/openldap-master-replog on the master server will tell you why.

18. To test replication from master to slave, add a new entry on the master server and check that it appears on the slave server. To test that the slave is subordinate, create an entry on the slave server and confirm that it is not replicated to the master server.

/etc/openldap/base.ldif (For both servers)
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example

/etc/openldap/ldap.conf (For master server)
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

/etc/openldap/slapd.conf (For master server)
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Note that this should be tightened by hostname or user for greater security.
# "by" clauses must be indented: they continue the "access" directive.
access to *
    by * read
    by anonymous auth
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}/mYjTZhwSR1hIGKt6qD0oBpHdRjeHSGh
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database. slapd appends each change to the replog and
# slurpd pushes it to the slave, binding as binddn. The continuation lines
# below must be indented, and credentials is the cleartext bind password,
# so this file must not be world-readable.
replogfile /var/lib/ldap/openldap-master-replog
replica host="slave:389"
    suffix="dc=example,dc=com"
    binddn="cn=root,dc=example,dc=com"
    credentials=changeme
    bindmethod=simple

/etc/openldap/ldap.conf (For slave server)
URI ldap://127.0.0.1
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
# updatedn, updateref, rootdn and rootpw are slapd.conf directives; they are
# set in the slave's slapd.conf below and do not belong in this client file.

/etc/openldap/slapd.conf (For slave server)
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Note that you should change this based upon the hostname of the master server.
access to *
    by * write
    by anonymous auth
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw {SSHA}/mYjTZhwsR1hIGKt6qD0oBpHdRjeHSGh
updatedn "cn=root,dc=example,dc=com"
updateref ldap://master
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
TLSCertificateFile /etc/openldap/ldap.cert
TLSCertificateKeyFile /etc/openldap/ldap.key
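An added consistency check for the two slapd.conf files above (example code written for this post, not from the original or from OpenLDAP): it parses a master/slave pair the way slapd.conf(5) does, joining indented continuation lines, then flags the mismatches that stop slurpd replication (replica binddn vs. updatedn, suffix) and two weaknesses worth fixing before going live (cleartext rootpw, an ACL that grants write to everyone). The embedded sample configs are constructed and shortened copies of the ones listed above; the hash is a placeholder.

```python
import re

MASTER_CONF = """\
suffix "dc=example,dc=com"
rootpw {SSHA}placeholder-from-slappasswd
access to *
    by * read
replica host="slave:389"
    suffix="dc=example,dc=com"
    binddn="cn=root,dc=example,dc=com"
"""
SLAVE_CONF = """\
suffix "dc=example,dc=com"
rootpw secret
updatedn "cn=root,dc=example,dc=com"
updateref ldap://master
access to *
    by * write
"""

def parse_slapd_conf(text):
    """Map keyword -> [values]; indented lines continue the previous directive (slapd.conf(5))."""
    joined = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0] in " \t" and joined:
                joined[-1] += " " + raw.strip()
            else:
                joined.append(raw.strip())
    conf = {}
    for line in joined:
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip().strip('"'))
    return conf

def check_pair(master_text, slave_text):
    """Findings that break slurpd replication (binddn/updatedn or suffix mismatch) or weaken the pair."""
    m, s, out = parse_slapd_conf(master_text), parse_slapd_conf(slave_text), []
    rep = dict(re.findall(r'(\w+)="?([^"\s]+)"?', m.get("replica", [""])[0]))
    if rep.get("binddn") != s.get("updatedn", [None])[0]:
        out.append("replica binddn on master != updatedn on slave")
    if rep.get("suffix") != s.get("suffix", [None])[0]:
        out.append("replica suffix on master != slave suffix")
    for name, c in (("master", m), ("slave", s)):
        if any(not pw.startswith("{") for pw in c.get("rootpw", [])):
            out.append(f"{name}: rootpw is cleartext; use the slappasswd hash")
        if any(re.search(r"\bby \* write\b", a) for a in c.get("access", [])):
            out.append(f"{name}: ACL grants write to every client; limit it to the updatedn")
    return out
```

Run `check_pair(open("/etc/openldap/slapd.conf").read(), slave_text)` with both files on hand; an empty list means the pair agrees on who is allowed to push updates and where.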

2 comments:

Unknown said...

is any step missing? Especially in context to certificates?

John said...

Yes, certificate generation is part of a full-fledged LDAP integration. But, it is beyond the scope of this quick and dirty replication example. This should be helpful, though:

http://vuksan.com/linux/LDAP_authentication_under_Linux.html